As a developer writing secure code, you must add vulnerability assessments to your list of code reviews. The code you write against a web application framework may be only a small percentage of the overall web application code base; most of the code that is compiled or interpreted for execution is locked away in libraries. Your web application depends on the code in those libraries, and each of them is a potential dependency vulnerability.
In this assignment, you’ll have an opportunity to be proactive in DevSecOps. You’ll find potential security vulnerabilities using OWASP Dependency-Check, an open-source scanner that reports the publicly known vulnerabilities in the libraries your code base uses. You can then adjust your use of those libraries based on the dependency-check report. Running the dependency check is a recommended DevSecOps practice. You have already used the dependency check in its default configuration; now you’ll look at the configuration options that suppress the reporting of false positives.
This assignment is a good place to alter the current OWASP dependency check so that it suppresses false-positive reporting. To do so, you’ll create a suppression.xml file and revise the pom.xml file of your software application, changing the configuration settings of the dependency check in Maven so that it points to the suppression.xml file.
Specifically, you must address the following rubric criteria:
<suppressionFiles>
    <suppressionFile>suppression.xml</suppressionFile>
</suppressionFiles>
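The two files the assignment asks for, shown together as an added example (not the course's or the project's own configuration): the dependency-check-maven plugin section with the suppressionFiles setting above, and a suppression.xml that scopes each suppression to one artifact. The artifact names (com.example/sample-lib, other-lib), the CPE, the CVE id, the version property and the expiry date are placeholders to be replaced with values from your own report.

```xml
<!-- ===== pom.xml: dependency-check-maven plugin (inside build/plugins) ===== -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>${dependency-check.version}</version> <!-- placeholder: pin the real version -->
  <configuration>
    <!-- Fail the build on High/Critical CVSS so real findings are not just reported and forgotten -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>suppression.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

<!-- ===== suppression.xml (project root, next to pom.xml) ===== -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Case 1: the scanner mis-identified the artifact (wrong CPE match). Suppress the CPE,
       but only for this artifact (packageUrl), so the same CPE is still reported if another
       dependency genuinely matches it. The until date (placeholder) expires the suppression
       so it is re-reviewed rather than hiding the library forever. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      False positive: this CPE refers to an unrelated product with a similar name.
      Reviewed by: <reviewer>, ticket: <tracker-id>   (placeholders)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.example/sample\-lib@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:sample_lib</cpe>
  </suppress>

  <!-- Case 2: one specific CVE does not apply to how the library is used.
       Suppress only that CVE for only that artifact; never suppress by bare file name. -->
  <suppress>
    <notes><![CDATA[ Not applicable: the vulnerable feature is not used. Analysis: <doc-link> (placeholder) ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.example/other\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve> <!-- placeholder CVE id: copy the exact id from the report -->
  </suppress>
</suppressions>
```

After editing both files, run mvn verify (or the dependency-check:check goal) again; the regenerated HTML report should list the suppressed findings under its suppressed section rather than as open vulnerabilities.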
In addition to the dependency-check reports, be certain to zip the project folder in Eclipse and submit the refactored code, including suppression.xml and the revised pom.xml file.
Submit (1) your refactored code (which includes the suppression.xml file you created and the pom.xml file you revised) and (2) your text submission that includes the HTML link for the dependency-check report before reconfiguration and the HTML link for the new dependency-check report after the reconfiguration with no false positives shown. Note: Remember to submit the before and after files. Sources should be cited according to APA style.
The following resource supports your work on this assignment: